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WHAT IS CLAIMED IS: 

1 . A method of implementing Internet protocol security in a mobile IP 
network, comprising the steps of: 

initiating communication from a first node to a second node; 

checking by the first node if any security association is established 
with the second node; and 

initiating by the first node establishment of a security association for 
protecting communications with the second node if no security association is 
established with the second node. 

2. A method as recited in claim 1 , wherein the second node is a mobile 
node situated away from its home link. 

3. A method as recited in claim 2, wherein the first node initiates 
communication with the second node by sending a control packet to the second 
node through the second node's home agent and the second node in response 
returns a binding update to the first node. 

4. A method as recited in claim 1, wherein the security association 
established employs a Kerberos key exchange method. 

5. A method as recited in claim 4, wherein at least one of the first and 
second nodes uses a secret key established in Layer 2 for Layer 3 authentication. 

6. A method as recited in claim 1 , wherein the network has security 
association managers, and the security association is established by the security 
association managers. 

7. A method as recited in claim 1 , wherein the first and second nodes 
have a subscriber identification module, and the security association established is 
stored in the subscriber identification module. 
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8. A method as recited in claim 1 , wherein the security association has 
a long lifetime and is used over multiple sessions of communications between the 
first and second nodes. 

9. A method as recited in claim 1, wherein the communication is a 
real-time interactive digital data communication. 

10. A method as recited in claim 9, wherein the real-time interactive 
digital data communication is voice over Internet protocol. 

11. A method as recited in claim 1 , wherein the network complies with 
International Mobile Telecommunications-2000 standards. 

12. A method for implementing Kerberos-based Internet security 
protocol in a mobile IP network, comprising the steps of: 

establishing a Layer 2 secret key between a node and a base 
transceiver station when the node is establishing wireless connection with the base 
transceiver station; 

reporting the established Layer 2 secret key from a Layer 2 to a 
Layer 3 in the node; and 

using the reported Layer 2 secret key to authenticate the node to the 
network when the node logs in the network. 

13. A method as recited in claim 12, wherein the communication is a 
real-time interactive digital data communication. 

14. A method as recited in claim 13, wherein the real-time interactive 
digital data communication is voice over Internet protocol. 

15. A method as recited in claim 1 2, wherein the network complies with 
International Mobile Telecommunications-2000 standards. 

16. An IP network comprising: 

nodes communicate with each other over the network; 
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security association mangers provided in the network for managing 
security associations for the nodes, wherein when asked by a first node that needs 
to communicate with a second node, a security association manager returns to the 
first node a security association previously established for communication with the 
second node if the security association remains stored inside thereof, and if there is 
no security association stored for communication with the second node, the 
security association manager conducts establishment of a security association, 
stores the security association inside thereof and distributes it to the first node. 

17. An IP network as recited in claim 16, wherein the network adopts a 
Kerberos key exchange method and has a key distribution center for distributing 
session keys to the security association managers for nodes that need to make 
communications. 

18. An IP network as recited in claim 17, wherein the security 
association manager requests the key distribution center to issue a session key. 

19. A method as recited in claim 1 6, wherein the communication is a 
real-time interactive digital data communication. 

20. A method as recited in claim 19, wherein the real-time interactive 
digital data communication is voice over Internet protocol. 

21 . A method as recited in claim 16, wherein the network complies with 
International Mobile Telecommunications-2000 standards. 



